staging -> production

.github/workflows/main.yml

@@ -13,36 +13,74 @@ jobs:
 
       - name: Check dependencies for security vulnerabilities
         uses: g-rath/check-with-osv-detector@main
-  build:
+  tests:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v1
     - run: cp example.env .env
-    - name: Build the docker-compose stack
-      run: docker-compose up -d
+    - name: Build the docker compose stack
+      run: docker compose up -d
     - name: Check running containers
       run: docker ps -a
     - name: Check logs
-      run: docker-compose logs backend
+      run: docker compose logs backend
     - name: Run test suite
-      run: docker-compose run backend bin/runtests.py
+      run: docker compose run backend bin/runtests.py
+
+  deploy_to_uat:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+    needs:
+      - check-dependencies
+      - tests
+    environment:
+      name: uat
+      url: https://signbank-uat.nzsl.nz
+    steps:
+    - uses: actions/checkout@v1
+    - run: curl https://cli-assets.heroku.com/install-ubuntu.sh | sh
+    - run: cp example.env .env
+    - name: Build the docker compose stack
+      run: docker compose up -d
+    - name: Check running containers
+      run: docker ps -a
+    - name: Check logs
+      run: docker compose logs backend
     - name: Deploy app to UAT
-      if: github.ref == 'refs/heads/master'
       env:
         HEROKU_API_KEY: ${{secrets.HEROKU_UAT_API_KEY}}
         HEROKU_APP_NAME: ${{secrets.HEROKU_UAT_APP_NAME}}
       run: |
         echo $HEROKU_API_KEY | docker login --username=_ --password-stdin registry.heroku.com
-        docker tag $(docker-compose images -q backend) registry.heroku.com/$HEROKU_APP_NAME/web
+        docker tag $(docker compose images -q backend) registry.heroku.com/$HEROKU_APP_NAME/web
         docker push registry.heroku.com/$HEROKU_APP_NAME/web
         heroku container:release web -a $HEROKU_APP_NAME
+  deploy_to_production:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/production'
+    needs:
+      - check-dependencies
+      - tests
+    environment:
+      name: production
+      url: https://signbank.nzsl.nz
+    steps:
+    - uses: actions/checkout@v1
+    - run: curl https://cli-assets.heroku.com/install-ubuntu.sh | sh
+    - run: cp example.env .env
+    - name: Build the docker compose stack
+      run: docker compose up -d
+    - name: Check running containers
+      run: docker ps -a
+    - name: Check logs
+      run: docker compose logs backend
     - name: Deploy app to Production
       if: github.ref == 'refs/heads/production'
       env:
         HEROKU_API_KEY: ${{secrets.HEROKU_PRODUCTION_API_KEY}}
         HEROKU_APP_NAME: ${{secrets.HEROKU_PRODUCTION_APP_NAME}}
       run: |
         echo $HEROKU_API_KEY | docker login --username=_ --password-stdin registry.heroku.com
-        docker tag $(docker-compose images -q backend) registry.heroku.com/$HEROKU_APP_NAME/web
+        docker tag $(docker compose images -q backend) registry.heroku.com/$HEROKU_APP_NAME/web
         docker push registry.heroku.com/$HEROKU_APP_NAME/web
         heroku container:release web -a $HEROKU_APP_NAME

.osv-detector.yml

@@ -1,8 +1,9 @@
 ignore:
+  - GHSA-248v-346w-9cwc
   - GHSA-6c3j-c64m-qhgq
+  - GHSA-9mvj-f7w8-pvh2
+  - GHSA-g92j-qhmh-64v2
   - GHSA-gxr4-xjj5-5px2
   - GHSA-jpcq-cgw6-v4j6
   - GHSA-rmxg-73gg-4p98
-  - GHSA-257q-pv89-v3xv # GHSA says affected versions are jQuery v.2.2.0 until v.3.5.0
-  - GHSA-vm8q-m57g-pff3
-  - GHSA-w3h3-4rj7-4ph4
+  - GHSA-rrqc-c2jx-6jgv

Dockerfile

@@ -14,8 +14,9 @@ FROM python:3.9
 
 ENV DJANGO_SETTINGS_MODULE=signbank.settings.development
 
-CMD pip install -r requirements.txt && \
-    bin/develop.py migrate --noinput && \
+RUN pip install "poetry==1.8.3"
+
+CMD bin/develop.py migrate --noinput && \
     bin/develop.py createcachetable && \
     (\
         (test $DJANGO_SETTINGS_MODULE = 'signbank.settings.development' && \
@@ -44,8 +45,10 @@ RUN echo "APT::Install-Recommends \"0\";" >> /etc/apt/apt.conf.d/02recommends &&
 
 # Install requirements
 WORKDIR /app
-ADD requirements.txt /app
-RUN pip --no-cache-dir install --src=/opt pyinotify -r requirements.txt
+ADD pyproject.toml poetry.lock /app/
+RUN poetry config installer.max-workers 10 && \
+    poetry config virtualenvs.create false &&  \
+    poetry install -v --no-root
 
 # Copy frontend assets
 COPY --from=node /app/signbank/static/js ./signbank/static/js
@@ -55,4 +58,4 @@ COPY --from=node /app/signbank/static/css ./signbank/static/css
 ADD . /app
 
 # Collect static assets
-RUN bin/develop.py collectstatic
+RUN bin/develop.py collectstatic --no-input

docker-compose.yml

@@ -16,10 +16,20 @@ services:
         links:
             - database
             - mail
+        depends_on:
+          database:
+            condition: service_healthy
     database:
         image: postgres:14
         environment:
           - "POSTGRES_PASSWORD=postgres"
+        ports:
+          - 5432:5432
+        healthcheck:
+          test: ["CMD", "/usr/bin/pg_isready", "-h", "database", "-p", "5432", "-U", "postgres", "-d", "postgres"]
+          interval: 3s
+          timeout: 2s
+          retries: 5
     mail:
         image: djfarrelly/maildev
         ports: